
Different types of virus detection?

I have been thinking more and more that the industry is going about Malware detection the wrong way...

Who wants to make sure they have the latest virus definitions and other security 'updates' to help keep the peace? It's ugly and the programmer in me keeps thinking there has to be a better way, cos this model sucks...

The end-user generally doesn't understand the nature of these definitions and will often forget to update. This would all be null if they just implemented some basic security measures in the first place (prevention not cure)... but that's for a different discussion...

I have heard on the wind about a different 'style' of malware-detection software. It can have zero-day malware detection because it's based on the nature of the 'software' rather than some predefined rule-set that needs to be updated. [like semantic not syntactic]

Bleh, if this is for malware -- there's a forum (outside of A/V) for that. But anyways... It's always important on the type of software that is being used and I believe that the industry needs to focus on this as it grows to be an important issue. As for your first question though, I do. I like knowing that my software is up to date and that the definitions for the latest malware/viruses are complete.

Re: Different types of virus detection?

I have heard on the wind about a different 'style' of malware-detection software. It can have zero-day malware detection because it's based on the nature of the 'software' rather than some predefined rule-set that needs to be updated. [like semantic not syntactic]

By this do you imply that this software uses some form of 'intelligent pattern recognition' to classify a program as malware, rather than just matching signatures? Now if some software has this functionality, then I believe it'll have a solid grounding in heuristic approaches or maybe some sort of sandbox testing....
But do you think it'll be successful? AFAIK, malware doesn't conduct any "signature" activity that gives its true identity away and this implies that heuristics are not an attractive alternative either. Sandbox testing may work out but it could take ages to put every third party add-on that you have in the "box" and check if it is malware or not.

With the current picture, I don't think things will change for some time... maybe a year or so later, software will get 'smart' to nail 'smarter' malware

Re: Re: Different types of virus detection?

Originally posted here by darkcod3r: By this do you imply that this software uses some form of 'intelligent pattern recognition' to classify a program as malware, rather than just matching signatures?

I'm not sure... I'm sure there are ways of doing this and I wasn't sure whether methods already existed.

afaik, heuristic analysis still needs rules... and virus creators would most definitely find these out and write around them!!

Is there nothing else?

I know a linux distribution called "CHAOS" (which has very limited uses...) does hash checking on its kernel and other files every n seconds to ensure integrity (it would restart the OS and/or notify the user of the event if it didn't match). I'm not suggesting we can do this exactly in other OSes... but it's a more proactive approach than downloading definitions... Or would this just get written around as well?

I agree, signature-based detection sucks: it's always behind and is reactionary rather than proactive.

Behavior analysis is another way of monitoring software. It doesn't use signatures but does still have rules of course. It's essentially a way to identify allowed (kinda whitelist) behaviors of your system and its applications.

More and more AV vendors are starting to build this into their apps and other vendors have what are essentially HIPS (Host Intrusion Prevention Systems) (i.e. Cisco Security Agent, McAfee's v8.0i). CSA has established rules of what certain software CAN do and learns. McAfee has added buffer overflow protection, network port monitoring (keep your machine from sending emails, etc), and other features. NOTE: I don't work for or suggest these products, just examples.

The anti-spyware vendors are building in AV and HIPS qualities in their software. Eventually AV and anti-spyware vendors/products will merge.

While there's still a ton of work to do (years) I believe behavior analysis/monitoring will replace the currently signature-based tools -- IMO.

[quote]Bleh, if this is for malware -- there's a forum (outside of A/V) for that[/quote]

Malware and the like is very close to traditional viruses. More recently, all threats that are not good for your machine are lumped into the generic category of 'malware'. This includes worms, viruses, and such. There is so much sludge on the internet, you can't possibly name each sub section in a discussion. That said, this post is appropriate for the area he posted.

I have been thinking more and more that the industry is going about Malware detection the wrong way...

Many folks believe this including me. Here's why.

A decade ago, using signature based solutions was ok. This is because there were not many threats out there (relative to today's staggering figures) and the speed, capabilities and frequency of malware (see generic classification description above) was much less mature.

Fast forward 10 years. Today's malware is developed for completely different purposes. Back in the day, it was AV companies vs. those horrible hax0r kids. The goal then was to simply gain status and cause general chaos. Not anymore. Theft and profit are the main reasons for the malware of today. This changes everything, including the ways needed to defend against the problem. The last I checked, statistics showed that more malware is released in a single day than the entire year of 1996. Absolutely amazing.

So what's the cure? That is a complicated issue but I can tell you from front line experience that using a finite signature file to deal with an infinite number of threats has become almost useless in large environments.

Heuristics are not new and have been a part of AV engines for years. However, development efforts weren't really directed at them because people weren't using the engines. That has changed significantly. I know of one AV vendor who already has a nice heuristics engine that can catch polymorphic threats.

Going further, I believe that the maturation of heuristics won't come without speedbumps. The problem with heuristics is that all people use computers differently so once you get past the heuristic basics that all people do, it means that users and admins have to be bright enough to tune (present day) heuristic solutions. If this pans out anything like the way people deal with personal firewalls, I weep for the future.

Behavior analysis is another way of monitoring software. It doesn't use signatures but does still have rules of course. It's essentially a way to identify allowed (kinda whitelist) behaviors of your system and its applications.

This is how the human immune system works. Allow what is known to be good and can everything else. I have great faith in this approach and currently have experiments running this type of approach. Thus far, great success.

AFAIK, malware doesn't conduct any "signature" activity that gives its true identity away and this implies that heuristics are not an attractive alternative either.

This is half true. While malware doesn't perform a 'single' signature identifiable action, all malware has to communicate. Behavior in the methods, frequency, payloads and protocols are part of the analysis. One more factor is that behavioral analysis acts much like your credit card company. It looks for any change in what it knows is normal behavior for you learned over time (this by the way is how I believe heuristic solutions will get marketed to the masses) and then alerts you if something seems out of place. If you normally spend $30 a year on your credit card and then suddenly there are 15 charges in 3 days, a whistle will sound. You get the idea.

afaik, heuristic analysis still needs rules... and virus creators would most definitely find these out and write around them!!

Again, half true. Some engines require rules (hybrid) while others are pure heuristic. See Bayesian Rules for more on rule based analysis. For those who want to know how this works:

Where Posterior is the revised probability of some theory A after absorbing some new data, Prior is its probability before revision, * and / are multiplication and division symbols, and the vertical bar marks a conditional probability.

--TH13

Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

Where Posterior is the revised probability of some theory A after absorbing some new data, Prior is its probability before revision, * and / are multiplication and division symbols, and the vertical bar marks a conditional probability.

Damn Hoss.... I never knew you were that smart....

Unfortunately, it still fails initially unless the probability is so "tight" that it makes the computer unusable.... because you are going to have to place some constant in there to adjust the sensitivity of the system. For your average home user the constant would have to be sufficiently slack to allow them to use their system the way they want to.... at which point security goes right back out of the door again.

Until we come up with an OS that doesn't allow outside executable code to run except in an environment where it is isolated from data then there will always be malware..... and we will always have jobs.....

Don't SYN us.... We'll SYN you..... "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
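The Bayes rule TH13 points to, applied to behaviour-based scoring with the sensitivity constant Tiger Shark describes, as an added example that is not from any poster. The base rate, behaviour names and per-behaviour likelihoods are constructed values, not measured ones.

```python
# Added example (not from the thread): Bayes' rule as a behaviour-based
# malware score. Prior, behaviour names and likelihoods are constructed.
from math import prod

PRIOR_MALWARE = 0.02  # constructed base rate of malware among new programs

# behaviour -> (P(behaviour | malware), P(behaviour | benign)); constructed
LIKELIHOODS = {
    "writes_to_system_dir": (0.80, 0.10),
    "opens_outbound_smtp":  (0.60, 0.02),
    "modifies_autorun":     (0.70, 0.05),
    "reads_user_documents": (0.50, 0.40),
}


def posterior_malware(observed, prior=PRIOR_MALWARE, likelihoods=LIKELIHOODS):
    """Posterior = Prior * P(data | malware) / P(data).

    Behaviours are treated as conditionally independent (naive Bayes),
    so P(data | class) is the product of the per-behaviour likelihoods.
    """
    p_data_given_mal = prod(likelihoods[b][0] for b in observed)
    p_data_given_ben = prod(likelihoods[b][1] for b in observed)
    p_data = prior * p_data_given_mal + (1 - prior) * p_data_given_ben
    return prior * p_data_given_mal / p_data


def classify(observed, threshold):
    """threshold is the sensitivity constant: a lower value flags more
    programs (legitimate ones included), a higher one lets more through."""
    return posterior_malware(observed) >= threshold


if __name__ == "__main__":
    dropper = ["writes_to_system_dir", "opens_outbound_smtp", "modifies_autorun"]
    editor = ["reads_user_documents"]
    for thr in (0.02, 0.5, 0.99):
        # 0.02 also flags the document editor; 0.99 misses the dropper
        print(thr, classify(dropper, thr), classify(editor, thr))
```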

where shape=1 if it is perfectly smooth, less then one the more it deviates from perfectly smooth.

Ok, back to the subject.
How about this idea:

1) An anti-malware program that uses the hash function described above to check the OS

2) All systems come with two hard drives

3) Only OS and anti-malware software can be loaded on the first hard drive ( didn't some of us use to do this? )

4) the write functions on first hard drive are physically limited by a key switch ( actual interrupt of the wires which control writes. This allows, when necessary, to update the OS, etc. without too much difficulty, when absolutely necessary. Could also apply to bios changes: I liked the old jumpers )

5) all write functions are written to a swap file on the second drive

6) periodically the anti-malware program checks the hash of the OS and itself ( which is reloaded each time executed ) that is in memory with what is on the first hard drive

7) the anti-malware program also checks hash functions of any executables on the second hard drive, which it stores in a separate swap file only writable by the anti-malware program

8) if the hash doesn't match the OS or anti-malware program, or if it detects an unwanted signature, the first swap file is deleted, the administrator and user notified.

9) all permanent writes to the second hard drive are individually requested of the user.

I'm sure someone could find a way around this, but at this stage that is what I thought of when I read this thread.

Bedtime for me.

" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
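A minimal version of the periodic hash check that the CHAOS remark and steps 6 to 8 above describe, as an added example that is not from any poster. It assumes SHA-256 as the hash (the thread never names one) and simulates the protected file set in a temporary directory with constructed contents; the baseline table stands in for the copy kept on the write-protected drive.

```python
# Added example (not from the thread): baseline-and-verify integrity check.
# Assumes SHA-256; file names and contents below are constructed.
import hashlib
import os
import tempfile


def file_hash(path, chunk=65536):
    """SHA-256 of a file, streamed so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Hash every regular file under root, keyed by relative path.
    In the proposal this table lives on the write-protected first drive."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = file_hash(path)
    return baseline


def verify(root, baseline):
    """Re-hash the tree and compare with the baseline.
    Returns (modified, missing, unlisted) as sorted lists; any non-empty
    list is the condition under which step 8 would notify the admin."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    unlisted = sorted(p for p in current if p not in baseline)
    return modified, missing, unlisted


def demo():
    """Constructed scenario: baseline three files, then tamper with one,
    delete one and drop an unlisted executable before re-checking."""
    root = tempfile.mkdtemp()
    for name, data in (("kernel", b"k"), ("init", b"i"), ("av", b"a")):
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    baseline = build_baseline(root)
    with open(os.path.join(root, "kernel"), "ab") as f:
        f.write(b"patched")  # simulated tampering with a protected file
    with open(os.path.join(root, "dropper"), "wb") as f:
        f.write(b"new")  # simulated executable not in the baseline
    os.remove(os.path.join(root, "init"))
    return verify(root, baseline)
```

A real deployment would call verify() from a timer loop (the "every n seconds" in the CHAOS description) and keep the baseline somewhere the checked system cannot write.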

For your average home user the constant would have to be sufficiently slack to allow them to use their system the way they want to.... at which point security goes right back out of the door again.

Yeah, there is no easy solution to this, which is why you don't have widespread adoption today. I'm thinking that the only road home on this is to somehow integrate it into the OS design. Again, no small or easy task.

--TH13
